Joakim Hvalby
Program Manager Information Security
Article   December 14 2022

GDPR tip 2: Keep marketing within agreed limits

The fact that GDPR was introduced in 2018 doesn’t mean that all organizations comply with it. A common mistake is that organizations, a bit into a project or at the launch of a new product, come to the conclusion that it would be good to reach out with new information. We must always make sure to use the data within the limits for which we have obtained permission, and to be clear when those limits are set up. Joakim Hvalby, Program Manager Information Security at Junglemap, writes in one of four articles with tips regarding GDPR.


"This is an exciting product. Let's send out information about this to all previous customers!" A spirited marketing idea that many of us probably recognize.  

But the guidelines of the responsible authorities are clear: Personal data may only be collected for "specific, explicit and legitimate purposes".  This means that in each project we need to be clear about why, to what and for how long we should process personal data.  

In addition, the objectives must be specific and concrete, not vague or unclear. It’s not enough that the aim is solely to "improve the user experience", "cyber security" or "future research". That is too broadly expressed, and the data subjects cannot assess what such personal data processing may entail. Nor is it enough to specify "controls" as the purpose of logging and monitoring; the purpose of the control must also be indicated.

The purpose must also be justified. This means that the processing of personal data must have a legal basis in the General Data Protection Regulation and must be carried out in accordance with other applicable legislation and general legal principles. 

Process collected personal data in new ways?  

Of course, it’s difficult to think of all possible scenarios at the beginning of a project where personal data is collected. Often, needs appear that were difficult to predict.  

If the new needs fit within the original purposes, it’s sufficient to inform the data subjects about the new personal data processing before it begins. 

If, on the other hand, it’s a question of using the personal data in a new way, a new consent to personal data processing has to be given. Then we have to start from scratch and find a legal basis for the processing of personal data, making sure that it takes place in accordance with the basic principles and so on... 

We have now launched the 2024 version of Privacy and GDPR for all employees. A brand new course with updated content over fewer lessons, but with more interactive touch points giving your organisation's DPO a better understanding of the level of your organisation's awareness.

To increase engagement and awareness, this new course also focuses on why GDPR and privacy are important both at work and in your private life.
